Attackers using new technique to bring down websites

NTP-amplification new weapon of choice

Earlier this week a number of high-profile gaming services were taken down by distributed denial-of-service attacks (DDoS) that used a technique not seen before.

Instead of directly flooding the targeted services with torrents of data, an attack group calling itself DERP Trolling sent smaller-sized data requests to time-synchronisation servers running the Network Time Protocol.

They manipulated these requests to seem like they were originating from the gaming sites they intended to attack. This resulted in an amplified response, one request containing 8 bytes and was increased to one of 467 bytes, an increase of more than 58 times.

"Prior to December, an NTP attack was almost unheard of because if there was one it wasn't worth talking about," Shawn Marck, CEO of DoS-mitigation service Black Lotus, said. "It was so tiny it never showed up in the major reports. What we're witnessing is a shift in methodology."

Three times the effect

NTP reflection accounted for about 69 per cent of all DoS attack traffic by bit volume. The average size of these attacks was 7.3 gigabits per second, more than three times the average DDoS attack observed in December.

NTP servers help people synchronize their servers to very precise time increments. Recently, the protocol was found to suffer from a condition that could be exploited by DoS attackers. Luckily, NTP-amplification attacks are easy to repel, since virtually all NTP traffic can be blocked without any major negative consequences to the targeted site.

Black Lotus recommends network operators follow several practices to blunt the effects of NTP attacks. They include using traffic policers to limit the amount of NTP traffic, implementing large-scale DDoS mitigation systems, or opting for service-based approaches that provide several gigabits of standby capacity for use during DDoS attacks.